> also sprach David Lang <[email protected]> [2016-01-28 17:15 +1300]:
>> rsyslog has a per-action cache of files that have been written to
>> by that action, when you start writing to a new one, and the cache
>> is full, rsyslog will close the least recently written to file
>> (which can be a big problem if your cache isn't large enough and
>> you try to write to the just-evicted file a ms later)
>
> I do not understand this, or the implications this has. :(
> Does this affect dynamic filenames, i.e. filenames with the date in
> them?

This affects only dynamic filenames. Rsyslog does not understand why the names
change from one log write to the next, so it doesn't know that this is date
based.

All it does is the following:

1. apply the template to get a path string referencing a filename
2. check the DynaFileCache for this action to see if the file is already open
(if so, write the log to the file)
3. if the file is not already open, check to see if there is a slot open in the
DynaFileCache. (If so, open the file, add the file to the cache, and write
the log to the file.)
4. if there are no slots left in the cache, find the file in the cache that has
not been written to the longest, close it (which flushes the data to disk, which
you have to wait for), and then open the new file, add it to the cache and write
the log to the file

Think about what would happen if you have a cache size of 1 file (it's actually
10 or 128, but it's easier to give an example with a size of 1)

a log comes in with a time of 23:59:59, you create the filename, open the file,
write to the file, and keep the file open

the next log that arrives has a time of 00:00:00 (with a new date), so you have
to close the first file, wait for disk I/O, open the second file, and write the
log, keeping the second file open

The next log that arrives came from a machine that has its clock a smidge
behind the one you just handled, it says the time is 23:59:59 still, so you
close the new file, wait for I/O, open the first file, write to disk

then another log comes with the new day.....

you aren't that likely to get into trouble this way if your dynamic file
template just has datetime info (depending on how accurately time is synced in
your network), but if you have hostnames and you have 500 slots in the cache,
but 501 machines sending you logs in a perfect round-robin fashion, every log
message that you get will require closing a file, waiting for disk I/O and
opening another file. If you get into this condition, performance will be
horrific.

David Lang
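
The four steps and the two thrashing cases described in the message above, as a small Python model. This is an added example, not rsyslog code and not part of the original post; the class name, file paths and host names are constructed, and eviction is modelled as least-recently-written, as the post describes.

```python
from collections import OrderedDict


class DynaFileCacheModel:
    """Toy model of a per-action dynafile cache (least-recently-written eviction)."""

    def __init__(self, slots):
        self.slots = slots
        self.open_files = OrderedDict()  # path -> None, least recently written first
        self.opens = 0
        self.evictions = 0  # each one is a close + flush the writer has to wait for

    def write(self, path):
        if path in self.open_files:              # step 2: file already open
            self.open_files.move_to_end(path)
            return
        if len(self.open_files) >= self.slots:   # step 4: no free slot, evict oldest
            self.open_files.popitem(last=False)
            self.evictions += 1
        self.open_files[path] = None             # step 3: open, add to cache, write
        self.opens += 1


def simulate(slots, paths):
    """Replay a sequence of template results; return (opens, evictions)."""
    cache = DynaFileCacheModel(slots)
    for path in paths:
        cache.write(path)
    return cache.opens, cache.evictions


def round_robin(hosts, rounds):
    # Constructed input: one message per host per round, per-host file template.
    return [f"/var/log/remote/host{h:03d}.log"
            for _ in range(rounds) for h in range(hosts)]


def midnight_flap(messages):
    # Constructed input: two senders with skewed clocks alternating across midnight.
    days = ["2016-01-28", "2016-01-29"]
    return [f"/var/log/all-{days[i % 2]}.log" for i in range(messages)]


if __name__ == "__main__":
    for slots, hosts in [(500, 500), (500, 501)]:
        opens, evictions = simulate(slots, round_robin(hosts, rounds=10))
        print(f"slots={slots} hosts={hosts}: opens={opens} evictions={evictions}")
    for slots in (1, 2):
        opens, evictions = simulate(slots, midnight_flap(6))
        print(f"slots={slots} midnight flap: opens={opens} evictions={evictions}")
```

One host more than the cache has slots turns every message into a close, flush and reopen, while a cache that covers every distinct filename in use opens each file once.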